Information Security

Protect infrastructure by balancing business needs against security risks.

 

Always assume that an intrusion is underway

Threats:

• physical incidents like fires, floods,
• crime

all need a stable method for incident handling.

Set process to get systems and services back online quickly and securely

Computer and Network Hacker Exploits

Data leaking from your network could provide the clue for an attacker to blow the systems wide open.

First two phases of many computer attacks:

1. reconnaissance
2. scanning

Networks reveal an enormous amount of information to potential attackers.

Attackers conduct detailed scans of systems, scouring the openings to get through defenses.

Targets of opportunity:

• weak systems and firewalls,
• unsecured modems
• wireless local networks
• vulnerabilities

  Hackers trading exploits

Scanning:

• blind scans, and bounce scans to obscure their source and intentions.

Also targeting firewalls, attempting to understand and manipulate rule sets to penetrate networks.

Intrusion Detection System evasion.

Understand critical phases of an attack in detail.

Performing Reconnaissance

• What does the network reveal?
• Leaking too much information?
• Using Whois lookups, ARIN, RIPE and APNIC
• Domain Name System harvesting
• Data gathering from fob postings, web sites, and government databases
• Recon-ng
• Pushpin
• Identifying publicly compromised accounts
• Maltego
• FOCA for metadata analysis

Scanning

• Locating and attacking insecure wireless LANs
• War dialing with War-VOX for renegade modems and unlocked phones
• Port Scanning: Traditional, stealth, and blind scanning
• Active and passive Operating System fingerprinting
• Determining firewall filtering rules
• Vulnerability scanning using Nessus and other tools
• CGI scanning with Nikto

Intrusion Detection System (IDS) Evasion

• Foiling IDS at the network level: Fragmentation and other tricks
• Foiling IDS at the application level: Exploiting the rich syntax of computer languages
• Using Fragroute and Web Attack IDS evasion tactics
• Bypassing IDS/IPS with TCP obfuscation techniques

Network-Level Attacks

• Session hijacking: From Telnet to SSL and SSH
• Monkey-in-the-middle attacks
• Passive sniffing

Gathering and Parsing Packets

• Active sniffing: ARP cache poisoning and DNS injection
• DNS cache poisoning: Redirecting traffic on the Internet
• Using and abusing Netcat, including backdoors and nasty relays
• IP address spoofing variations

Operating System and Application-level Attacks

• Buffer overflows in-depth
• The Metasploit exploitation framework
• Format string attacks

Netcat: The Attacker’s Best Friend

• Transferring files, creating backdoors, and shoveling shell
• Netcat relays to obscure the source of an attack
• Replay attacks

Tools to use for prevention:

• InSSIDer for Wireless LAN discovery
• Nmap Port Scanner and Operating System fingerprinting tool
• Nessus Vulnerability Scanner
• Windows Command Line Kung-Fu for extracting Windows data through SMB sessions

• Sniffers, including Tcpdump
• Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
• Netcat for transferring files, creating backdoors and setting up relays
• Metasploit,
• ARP and MAC analysis for ARP cache poisoning attack detection

Have to examine how attackers gain access.

The next section covers the attacks in depth

Get hands-on experience and learn how to run sniffers and the Netcat tool.

Have to collect the attack tools and practice how they used in a test environment.

One of the attackers’ favorite techniques for compromising systems: worms.

Have to study the other often exploited area by attackers: web applications.

Look at the a taxonomy of nasty denial-of-service attacks.

Attackers can stop services or exhaust resources. We need to research what to do to prevent this from happening.

Hacking techniques

Password Cracking

• Analysis of worm trends
• Password cracking with John the Ripper
• Rainbow Tables
• Password spraying

Web Application Attacks

• Account harvesting
• SQL Injection: Manipulating back-end databases
• Session Cloning: Grabbing other users’ web sessions
• Cross-Site Scripting

Denial-of-Service Attacks

• Distributed Denial of Service: Pulsing zombies and reflected attacks
• Local Denial of Service

Lab exercises in controlled environment

• Password cracking
• Cross-site scripting and SQL injection web application attacks
• Detecting DoS attacks

Maintaining access and covering tracks.

Computer attackers install:

• backdoors,
• apply Rootkits,
• manipulate the underlying kernel to hide their presence

These categories of tools require specialized defenses to protect the underlying system.

List and study most commonly used malicious code specimens

Future trends in malware, including BIOS-level and combo malware possibilities

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes.

Additionally, super stealthy sniffing backdoors are increasingly being used to thwart investigations.

Attackers often alter system logs and attempt to make the compromised system appear normal.

Tools and techniques to detect and respond to activities on your computers and network.

Maintaining Access

• Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other modern beasts
• Trojan horse backdoors: A nasty combo
• Rootkits: Substituting binary executables with nasty variations
• Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

Covering the Tracks

• File and directory camouflage and hiding
• Log file editing on Windows and Unix
• Accounting entry editing: UTMP, WTMP, shell histories, etc.
• Covert channels over HTTP, ICMP, TCP, and other protocols
• Sniffing backdoors and how they can mess up investigations unless one aware of them
• Steganography: Hiding data in images, music, binaries, or any other file type
• Memory analysis of an attack

• Specific scenarios showing how attackers use a variety of tools together
• Analyzing scenarios based on real-world attacks
• Learning from the mistakes of other organizations
• Where to go for the latest attack info and trends

Tools to master:

• RootKits and detection
• Detecting Backdoors with Netstat, lsof
• Hidden file detection with LADS
• Covert Channels using Covert_TCP
• HTTP Reverse Shells using Base64

Analysis

• Nmap port scanner
• Nessus vulnerability scanner
• Network mapping
• Netcat: File transfer, backdoors, and relays
• More Metasploit
• Exploitation using built-in OS commands
• Privilege escalation
• Advanced pivoting techniques

Preparing for the worst case scenario

Securing an infrastructure is a complex task of balancing business needs against security risks.

Incident Handling  six steps:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

These actions have been proven effective in hundreds of organizations.

Preparation

• Building an incident response kit
• Identifying your core incident response team
• Instrumentation of the site and system

Identification

• Signs of an incident
• First steps
• Chain of custody
• Detecting and reacting to Insider Threats

Containment

• Documentation strategies: video and audio
• Containment and quarantine
• Pull the network cable, switch and site
• Identifying and isolating the trust model

Eradication

• Evaluating backup for faults
• Total rebuild of the Operating System
• Moving to a new architecture

Recovery

• Who makes the determination to return to production?
• Monitoring of system
• Expect an increase in attacks

Special Actions for Responding to Different Types of Incidents

• Espionage
• Inappropriate use

Incident Record-keeping

• Pre-built forms
• Legal acceptability

Incident Follow-up

• Lessons learned
• Changes in process for the future